A device may receive rule information, associated with a firewall policy, that includes a set of N rules. The device may add a rule, of the set of N rules, to a detector tree associated with the firewall policy. The device may identify other rules to which the rule is to be compared. The other rules may be included in the set of N rules, and may number approximately log2(N), rather than all N, so that the cost of checking each rule stays logarithmic in the policy size. The device may compare the rule to the other rules, and may detect a rule anomaly based on that comparison. The rule anomaly may be associated with a conflict between the rule and a particular rule of the other rules. The device may identify the rule anomaly within the detector tree, and may output information regarding the rule anomaly.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, comprising: identifying, by a device, a source network address associated with a rule for a firewall policy; identifying, by the device, a destination network address associated with the rule; determining, by the device, that the source network address differs from the destination network address at a particular bit; creating, by the device, an intermediate node with a particular bit index based on determining that the source network address differs from the destination network address at the particular bit; connecting, by the device, the intermediate node to a first leaf node that stores the source network address and information identifying the rule; and connecting, by the device, the intermediate node to a second leaf node that stores the destination network address and the information identifying the rule.
2. The method of claim 1, where the information identifies: a rule number; an address type; a service; and an action.
3. The method of claim 2, where the service includes at least one of: a transmission control protocol; a user datagram protocol; an internet control message protocol; or a port number.
4. The method of claim 2, where the action includes: an action to permit a packet that matches the rule; or an action to deny a packet that matches the rule.
5. The method of claim 1, further comprising: comparing the source network address to the destination network address; and where determining that the source network address differs from the destination network address at the particular bit comprises: determining that the source network address differs from the destination network address at the particular bit based on comparing the source network address to the destination network address.
6. The method of claim 1, where connecting the intermediate node to the first leaf node and the second leaf node comprises: adding the rule to a detector tree, the detector tree being associated with the source network address and the destination network address.
7. The method of claim 1, further comprising: generating a detector tree, the detector tree being associated with the information identifying the rule.
8. A device, comprising: one or more processors to: identify a source address associated with a rule for a firewall policy; identify a destination address associated with the rule; determine that the source address differs from the destination address at a particular bit; create an intermediate node with a particular bit index based on determining that the source address differs from the destination address at the particular bit; connect the intermediate node to a first leaf node that stores the source address and information identifying the rule; and connect the intermediate node to a second leaf node that stores the destination address and the information identifying the rule.
9. The device of claim 8, where the information identifies: a rule number; an address type; a service; and an action.
10. The device of claim 9, where the service includes at least one of: a transmission control protocol; a user datagram protocol; an internet control message protocol; or a port number.
11. The device of claim 9, where the action includes: an action to permit a packet that matches the rule; or an action to deny a packet that matches the rule.
12. The device of claim 8, where the one or more processors are further to: utilize the intermediate node to navigate a detector tree based on the particular bit index.
13. The device of claim 8, where the particular bit index is based on the source address and the destination address.
14. The device of claim 8, where the one or more processors, when determining that the source address differs from the destination address at the particular bit, are to: determine that a binary representation of the source address differs from a binary representation of the destination address at the particular bit.
15. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: identify a first address associated with a rule for a firewall policy; identify a second address associated with the rule; determine that the first address differs from the second address at a particular bit; create an intermediate node with a particular bit index based on determining that the first address differs from the second address at the particular bit; connect the intermediate node to a first leaf node that stores the first address and information identifying the rule; and connect the intermediate node to a second leaf node that stores the second address and the information identifying the rule.
16. The non-transitory computer-readable medium of claim 15, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: compare the first address to the second address; and where the one or more instructions, that cause the one or more processors to determine that the first address differs from the second address at the particular bit, cause the one or more processors to: determine that the first address differs from the second address at the particular bit based on comparing the first address to the second address.
17. The non-transitory computer-readable medium of claim 15, where the one or more instructions, that cause the one or more processors to connect the intermediate node to the first leaf node and the second leaf node, cause the one or more processors to: add the rule to a detector tree, the detector tree being associated with the first address and the second address.
18. The non-transitory computer-readable medium of claim 15, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: generate a detector tree, the detector tree being associated with the information identifying the rule.
19. The non-transitory computer-readable medium of claim 15, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: utilize the intermediate node to navigate a detector tree based on the particular bit index.
20. The non-transitory computer-readable medium of claim 15, where the particular bit index is based on the first address and the second address.
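The claims above describe the detector tree structurally (an intermediate node carrying the bit index at which two addresses first differ, with leaf nodes holding an address plus the rule information; claims 1, 8 and 12) without giving code or a definition of "conflict". The following Python is an added illustration, not the patent's own implementation: it realises the claimed structure as a binary radix trie over IPv4 addresses, navigates by bit index on insert, and compares a new rule only against the rules already stored at the leaf for its source address, which is what keeps the comparison set small. The anomaly classes (a "conflict" when two rules match the same source, destination and service with different actions, a "redundancy" when the actions agree), the rule fields, the sample rule set and the names `DetectorTree`, `Rule`, `first_differing_bit` are all assumptions of this example.

```python
"""Detector tree for firewall rules (added example; not the patent's code).

Assumptions of this example, not statements from the patent page:
- IPv4 addresses only, bit index 0 = most significant bit.
- A "conflict" is two rules with equal source, destination and service but
  different actions; "redundancy" is the same match with the same action.
"""
from dataclasses import dataclass, field
import ipaddress

ADDR_BITS = 32


@dataclass
class Rule:
    number: int
    src: str
    dst: str
    service: str  # e.g. "tcp/22", "udp/53", "icmp"
    action: str   # "permit" or "deny"


@dataclass
class Leaf:
    address: int
    rules: list = field(default_factory=list)  # rules referencing this address


@dataclass
class Node:
    bit: int             # bit index at which the two subtrees first differ
    zero: object = None  # subtree whose addresses have a 0 at `bit`
    one: object = None   # subtree whose addresses have a 1 at `bit`


def addr_to_int(addr):
    return int(ipaddress.ip_address(addr))


def bit_at(value, index):
    return (value >> (ADDR_BITS - 1 - index)) & 1


def first_differing_bit(a, b):
    """Most significant bit index at which a and b differ (None if equal)."""
    x = a ^ b
    return None if x == 0 else ADDR_BITS - x.bit_length()


class DetectorTree:
    def __init__(self):
        self.root = None
        self.anomalies = []   # (new rule number, existing rule number, kind)
        self.comparisons = 0  # total rule-to-rule comparisons performed

    def _find_leaf(self, address):
        """Navigate by each intermediate node's bit index (claim 12)."""
        node = self.root
        while isinstance(node, Node):
            node = node.one if bit_at(address, node.bit) else node.zero
        return node

    def _insert_address(self, address, rule):
        if self.root is None:
            self.root = Leaf(address, [rule])
            return
        leaf = self._find_leaf(address)
        if leaf.address == address:
            leaf.rules.append(rule)
            return
        # Claim 1: the new intermediate node takes the first differing bit.
        b = first_differing_bit(leaf.address, address)
        new_leaf = Leaf(address, [rule])
        parent, node = None, self.root
        while isinstance(node, Node) and node.bit < b:
            parent = node
            node = node.one if bit_at(address, node.bit) else node.zero
        split = Node(b)
        if bit_at(address, b):
            split.zero, split.one = node, new_leaf
        else:
            split.zero, split.one = new_leaf, node
        if parent is None:
            self.root = split
        elif parent.one is node:
            parent.one = split
        else:
            parent.zero = split

    def add_rule(self, rule):
        """Insert a rule and return the anomalies it raises against stored rules."""
        src, dst = addr_to_int(rule.src), addr_to_int(rule.dst)
        found = []
        if self.root is not None:
            leaf = self._find_leaf(src)
            if leaf.address == src:  # only rules sharing the source address
                for other in leaf.rules:
                    self.comparisons += 1
                    if (other.src, other.dst, other.service) == (rule.src, rule.dst, rule.service):
                        kind = "conflict" if other.action != rule.action else "redundancy"
                        found.append((rule.number, other.number, kind))
        self.anomalies.extend(found)
        self._insert_address(src, rule)  # first leaf: source address + rule info
        self._insert_address(dst, rule)  # second leaf: destination address + rule info
        return found


def demo():
    """Constructed sample policy; rule 3 contradicts rule 1, rule 5 repeats rule 2."""
    tree = DetectorTree()
    for r in [Rule(1, "10.0.0.5", "192.168.1.10", "tcp/22", "permit"),
              Rule(2, "10.0.0.6", "192.168.1.10", "tcp/22", "permit"),
              Rule(3, "10.0.0.5", "192.168.1.10", "tcp/22", "deny"),
              Rule(4, "10.0.0.5", "192.168.1.10", "tcp/443", "permit"),
              Rule(5, "10.0.0.6", "192.168.1.10", "tcp/22", "permit")]:
        tree.add_rule(r)
    return tree


if __name__ == "__main__":
    t = demo()
    for new, old, kind in t.anomalies:
        print(f"rule {new} vs rule {old}: {kind}")
    print(f"{t.comparisons} comparisons for 5 rules")
```

The trie does the narrowing the abstract relies on: a lookup walks at most as many intermediate nodes as there are differing-bit positions on the path, and the candidate rules are only those stored at the matching leaf. Extending the check to prefixes (CIDR ranges) rather than exact addresses would mean collecting rules from every leaf under the node where the prefix's mask ends, which is the natural next step for a real policy checker.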
October 24, 2016
July 10, 2018